Merge pull request from GHSA-mj6m-246h-9w56

* only allow access to specific PHP files in their specific location

* same change is needed in .htaccess file scaffolded in mautic/core-lib

* improved wording in comments

Co-authored-by: Ruth Cheesley <ruth.cheesley@acquia.com>

* loosened regex to allow index_dev.php requests

Co-authored-by: Ruth Cheesley <ruth.cheesley@acquia.com>

.htaccess

@@ -109,10 +109,10 @@
         Require all denied
     </FilesMatch>
 
-    # Except those whitelisted bellow.
-    <FilesMatch "^(index|index_dev|filemanager|upgrade)\.php$">
+    # Except those allowed below.
+    <If "%{REQUEST_URI} =~ m#^/(index|index_dev|upgrade/upgrade)\.php#">
         Require all granted
-    </FilesMatch>
+    </If>
 </IfModule>
 
 # Fallback for Apache < 2.4
@@ -129,10 +129,10 @@
         Deny from all
     </FilesMatch>
 
-    # Except those whitelisted bellow.
-    <FilesMatch "^(index|index_dev|filemanager|upgrade)\.php$">
+    # Except those allowed below.
+    <If "%{REQUEST_URI} =~ m#^/(index|index_dev|upgrade/upgrade)\.php#">
         Order allow,deny
         Allow from all
-    </FilesMatch>
+    </If>
 </IfModule>
 

app/assets/scaffold/files/htaccess

@@ -109,10 +109,10 @@
         Require all denied
     </FilesMatch>
 
-    # Except those whitelisted bellow.
-    <FilesMatch "^(index|index_dev|filemanager|upgrade)\.php$">
+    # Except those allowed below.
+    <If "%{REQUEST_URI} =~ m#^/(index|index_dev|upgrade/upgrade)\.php#">
         Require all granted
-    </FilesMatch>
+    </If>
 </IfModule>
 
 # Fallback for Apache < 2.4
@@ -129,10 +129,9 @@
         Deny from all
     </FilesMatch>
 
-    # Except those whitelisted bellow.
-    <FilesMatch "^(index|index_dev|filemanager|upgrade)\.php$">
+    # Except those allowed below.
+    <If "%{REQUEST_URI} =~ m#^/(index|index_dev|upgrade/upgrade)\.php#">
         Order allow,deny
         Allow from all
-    </FilesMatch>
+    </If>
 </IfModule>
-